buran | c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb

Analysis

max time kernel
149s
max time network
153s
platform
windows10_x64
resource
win10v20210408
submitted
30-08-2021 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe
Size

213KB
MD5

70d323a19c27af9c38bbda35359fd92f
SHA1

f89b2639344b438d9f20d9f6c88ec7333e9d6060
SHA256

c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb
SHA512

4e8a40d47d0253ef5f4e9676a925b27e5d7bda11b44a68404e0f4ceee69fc6647be8d38f9066ccb7e04b1cf6f352f6d702a55624a6732dbfd11858b3521bb8d3

Score

10^/10

buran smokeloader backdoor discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 590$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 609-994-08D Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 6 IoCs

Processes:

CE90.exeD085.exesvchost.exesvchost.exebbcevdabbcevda

pid	Process
3952	CE90.exe
3748	D085.exe
2204	svchost.exe
3032	svchost.exe
4180	bbcevda
4208	bbcevda

Deletes itself 1 IoCs

Processes:

pid	Process
3020

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CE90.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	CE90.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	CE90.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
25	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

D085.exe

pid	Process
3748	D085.exe
3748	D085.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exebbcevda

description	pid	Process	procid_target
PID 3008 set thread context of 3064	3008	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe	77
PID 4180 set thread context of 4208	4180	bbcevda	109

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\JumboDeck4.jpg	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\AppxMetadata\CodeIntegrity.cat	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Double Wave.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-200.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\download.svg.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\ui-strings.js.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-96_altform-unplated.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\JpegSurface\JpegControl.xaml	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-200.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Maps.BackgroundTasks.winmd	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\selector.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-It.otf.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\.eclipseproduct.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms	svchost.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Icon.targetsize-256.png	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\TryAgain\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\by_16x11.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-400.png	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\blacklist.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.payfast.609-994-08D	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\ui-strings.js.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\ui-strings.js.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-hover.svg.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\THMBNAIL.PNG.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditRichCapture.scale-100.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-100.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-125.png	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ui-strings.js.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\np_60x42.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.payfast.609-994-08D	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.payfast.609-994-08D	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exebbcevda

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bbcevda
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bbcevda
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bbcevda

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
484	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

CE90.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CE90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CE90.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe

pid	Process
3064	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe
3064	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3020

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exebbcevda

pid	Process
3064	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
4208	bbcevda

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

D085.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	3748	D085.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemProfilePrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeProfSingleProcessPrivilege	2444	WMIC.exe
Token: SeIncBasePriorityPrivilege	2444	WMIC.exe
Token: SeCreatePagefilePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeDebugPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeRemoteShutdownPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: 33	2444	WMIC.exe
Token: 34	2444	WMIC.exe
Token: 35	2444	WMIC.exe
Token: 36	2444	WMIC.exe
Token: SeBackupPrivilege	8	vssvc.exe
Token: SeRestorePrivilege	8	vssvc.exe
Token: SeAuditPrivilege	8	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemProfilePrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeProfSingleProcessPrivilege	2444	WMIC.exe
Token: SeIncBasePriorityPrivilege	2444	WMIC.exe
Token: SeCreatePagefilePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeDebugPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeRemoteShutdownPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: 33	2444	WMIC.exe
Token: 34	2444	WMIC.exe
Token: 35	2444	WMIC.exe
Token: 36	2444	WMIC.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

D085.exe

pid	Process
3748	D085.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3020

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exeCE90.exesvchost.exe

description	pid	Process	procid_target
PID 3008 wrote to memory of 3064	3008	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe	77
PID 3008 wrote to memory of 3064	3008	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe	77
PID 3008 wrote to memory of 3064	3008	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe	77
PID 3008 wrote to memory of 3064	3008	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe	77
PID 3008 wrote to memory of 3064	3008	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe	77
PID 3008 wrote to memory of 3064	3008	c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe	77
PID 3020 wrote to memory of 3952	3020		79
PID 3020 wrote to memory of 3952	3020		79
PID 3020 wrote to memory of 3952	3020		79
PID 3020 wrote to memory of 3748	3020		80
PID 3020 wrote to memory of 3748	3020		80
PID 3020 wrote to memory of 3748	3020		80
PID 3020 wrote to memory of 3916	3020		82
PID 3020 wrote to memory of 3916	3020		82
PID 3020 wrote to memory of 3916	3020		82
PID 3020 wrote to memory of 3916	3020		82
PID 3020 wrote to memory of 2496	3020		83
PID 3020 wrote to memory of 2496	3020		83
PID 3020 wrote to memory of 2496	3020		83
PID 3020 wrote to memory of 3516	3020		84
PID 3020 wrote to memory of 3516	3020		84
PID 3020 wrote to memory of 3516	3020		84
PID 3020 wrote to memory of 3516	3020		84
PID 3952 wrote to memory of 2204	3952	CE90.exe	85
PID 3952 wrote to memory of 2204	3952	CE90.exe	85
PID 3952 wrote to memory of 2204	3952	CE90.exe	85
PID 3020 wrote to memory of 1920	3020		86
PID 3020 wrote to memory of 1920	3020		86
PID 3020 wrote to memory of 1920	3020		86
PID 3020 wrote to memory of 196	3020		87
PID 3020 wrote to memory of 196	3020		87
PID 3020 wrote to memory of 196	3020		87
PID 3020 wrote to memory of 196	3020		87
PID 3020 wrote to memory of 4084	3020		88
PID 3020 wrote to memory of 4084	3020		88
PID 3020 wrote to memory of 4084	3020		88
PID 3020 wrote to memory of 640	3020		89
PID 3020 wrote to memory of 640	3020		89
PID 3020 wrote to memory of 640	3020		89
PID 3020 wrote to memory of 640	3020		89
PID 3020 wrote to memory of 2096	3020		90
PID 3020 wrote to memory of 2096	3020		90
PID 3020 wrote to memory of 2096	3020		90
PID 3020 wrote to memory of 3676	3020		91
PID 3020 wrote to memory of 3676	3020		91
PID 3020 wrote to memory of 3676	3020		91
PID 3020 wrote to memory of 3676	3020		91
PID 2204 wrote to memory of 2768	2204	svchost.exe	92
PID 2204 wrote to memory of 2768	2204	svchost.exe	92
PID 2204 wrote to memory of 2768	2204	svchost.exe	92
PID 2204 wrote to memory of 2496	2204	svchost.exe	93
PID 2204 wrote to memory of 2496	2204	svchost.exe	93
PID 2204 wrote to memory of 2496	2204	svchost.exe	93
PID 2204 wrote to memory of 1408	2204	svchost.exe	97
PID 2204 wrote to memory of 1408	2204	svchost.exe	97
PID 2204 wrote to memory of 1408	2204	svchost.exe	97
PID 2204 wrote to memory of 852	2204	svchost.exe	95
PID 2204 wrote to memory of 852	2204	svchost.exe	95
PID 2204 wrote to memory of 852	2204	svchost.exe	95
PID 2204 wrote to memory of 1176	2204	svchost.exe	100
PID 2204 wrote to memory of 1176	2204	svchost.exe	100
PID 2204 wrote to memory of 1176	2204	svchost.exe	100
PID 2204 wrote to memory of 3032	2204	svchost.exe	101
PID 2204 wrote to memory of 3032	2204	svchost.exe	101

C:\Users\Admin\AppData\Local\Temp\c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe
"C:\Users\Admin\AppData\Local\Temp\c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe
  "C:\Users\Admin\AppData\Local\Temp\c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3064

C:\Users\Admin\AppData\Local\Temp\CE90.exe
C:\Users\Admin\AppData\Local\Temp\CE90.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:484
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3032
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4444

C:\Users\Admin\AppData\Local\Temp\D085.exe
C:\Users\Admin\AppData\Local\Temp\D085.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2496

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3516

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:196

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:640

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2096

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Users\Admin\AppData\Roaming\bbcevda
C:\Users\Admin\AppData\Roaming\bbcevda
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4180
- C:\Users\Admin\AppData\Roaming\bbcevda
  C:\Users\Admin\AppData\Roaming\bbcevda
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
5703edef7cb0f99305a6b18845e0443e

SHA1
fb6f022ebde210306e1a6575462d6451e98af454

SHA256
e4ce02059eb175c30879041d610db7b8798cdf57a4c67afc83c125c2db36e883

SHA512
4631853bda1498ff3cace6a348fd2d6770edd0fec166707c3afebff09644f34e29a7a6dd3e9cb167c40e8b5fa1fbbc80ba26d80b4d939daf56278c276b07ada4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
888f7457c332ac5e1897316e159f58c1

SHA1
a3047c6e978158dfae29b5735e8131ec1b30703d

SHA256
c2c14652875bfeb1ed529202da6d45eb974acab193c005908cf90b8c5cf3dd41

SHA512
0abdc5f78ade2f56b0f1954adc0479b5dcc88d401bfac95754e7dd80adefe7375a426fd89f81b657ebe9c113092524dcbd1e80c39a4bec51ccd93bc0bc3a5aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
939460925953ce88e1086341b8a11bda

SHA1
06249b891050a9fac128ccfee943aeb5bede1c7b

SHA256
d4da3c5ff04a3b677eb77b1bfedc14e29ebd0d01c476d44a0b1a2366447ab016

SHA512
a8dc3eb58a4a550cc2551463a3d813396caf3f2b65f5b13c8e339a4a32652895ee15c23eb5ba833eca4e7c22331a622657cf5bd64098f0c54e43b4e92fe65f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
0367a6bdbf7235b96fb006d309052722

SHA1
0a113a1948d491744c2913083c61dd991adbea3b

SHA256
4b84534e1f3dd55417448b2ba5d8f06f038d0bf260f6f52078ab00b43e22592c

SHA512
09a20963b70336b7030d797223ae41de65af3607d0a27d7f591e26872571af97784218fde242c6e7a4c4eb240461ba9d9230205144b6312d87ff4946e9808629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
f246ec773a5c29d9dfb356014bf0ae52

SHA1
fafdb5fb6e94ce53031af9e3cbbf6a00d20706bd

SHA256
4cf8022624257ea7e82f7f7b86c520d63911228c3ffd58fb9f225c756320cdd8

SHA512
2fbbfbf82016f78a3c607ad92a1b3ad9440e8cfb37103530d55e7c4f60774f9233e327a91d69ddadf5e66e6c8b806f7658f55350e190ef1313208e3b74882f59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
f72ab213993e15d56effccc8854bf376

SHA1
ca258afd23c1887f9fc976659e1fd883d562f546

SHA256
401bc09a1a0f753e7d4751fd946a318e044363cff9dd2d06f8fba8594c3785ce

SHA512
fb518cc1aeec6f902c09a719cf8ba3546f5e7e09f421031d83d0c815e63e746262e47c28a88a1dfebf2ff47c18515b9442183bf35b26e3adde0ef2a8184082e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\HK9C7L5O.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\VBCLHRUB.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE90.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE90.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\D085.exe

MD5
3242c783cee6fb3e589e6d3e9bad0281

SHA1
fdbf09b5a42d9a93a6515cf65630b033e0ec8dce

SHA256
71b23e033bd17225d74d832b3a4d243fb4bfc72b7f864248191443d9c1023026

SHA512
d3d06c35c737c190a2939869b126a494c6ec05b6608ffb59b15f09d93a61a23fb28176330c512650c0611bb4155ea1b098be3a157d5a85826635ed6602175994

Download Submit
C:\Users\Admin\AppData\Local\Temp\D085.exe

MD5
3242c783cee6fb3e589e6d3e9bad0281

SHA1
fdbf09b5a42d9a93a6515cf65630b033e0ec8dce

SHA256
71b23e033bd17225d74d832b3a4d243fb4bfc72b7f864248191443d9c1023026

SHA512
d3d06c35c737c190a2939869b126a494c6ec05b6608ffb59b15f09d93a61a23fb28176330c512650c0611bb4155ea1b098be3a157d5a85826635ed6602175994

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\bbcevda

MD5
70d323a19c27af9c38bbda35359fd92f

SHA1
f89b2639344b438d9f20d9f6c88ec7333e9d6060

SHA256
c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb

SHA512
4e8a40d47d0253ef5f4e9676a925b27e5d7bda11b44a68404e0f4ceee69fc6647be8d38f9066ccb7e04b1cf6f352f6d702a55624a6732dbfd11858b3521bb8d3

Download Submit
C:\Users\Admin\AppData\Roaming\bbcevda

MD5
70d323a19c27af9c38bbda35359fd92f

SHA1
f89b2639344b438d9f20d9f6c88ec7333e9d6060

SHA256
c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb

SHA512
4e8a40d47d0253ef5f4e9676a925b27e5d7bda11b44a68404e0f4ceee69fc6647be8d38f9066ccb7e04b1cf6f352f6d702a55624a6732dbfd11858b3521bb8d3

Download Submit
C:\Users\Admin\AppData\Roaming\bbcevda

MD5
70d323a19c27af9c38bbda35359fd92f

SHA1
f89b2639344b438d9f20d9f6c88ec7333e9d6060

SHA256
c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb

SHA512
4e8a40d47d0253ef5f4e9676a925b27e5d7bda11b44a68404e0f4ceee69fc6647be8d38f9066ccb7e04b1cf6f352f6d702a55624a6732dbfd11858b3521bb8d3

Download Submit
C:\Users\Admin\Desktop\BackupRename.mpeg.payfast.609-994-08D

MD5
6cc4ab7170ba8f9edf0ae62879f54f8f

SHA1
4313cccefcf5f819a52930f6c88199bca598bbe9

SHA256
462112d1063f572e56231ae7d96066949ab4069ba254464ffd027b7ab4a5357d

SHA512
258b3692097ccb19a32a6e4e6c62671dc24b6140bae47736f46ffccd068dbd7bc86f1ae8821fdf57bc72da4ba7d16ecedfc7ecbd25578f6b11f865f2ff4ebb25

Download Submit
C:\Users\Admin\Desktop\CompleteEnable.m3u.payfast.609-994-08D

MD5
7d8db7771765cff840813ebdb7832a7b

SHA1
c19a933c25f8586d69e228ea831c8197583bbf06

SHA256
a461da88779dde321eb825ac29fa41221130c13b729c20bbc57ed1fca2170877

SHA512
0f252860c46656e35ae58e2084e9526951916d5c657775ca7dcb48556b856ef26f17153663df2af68a8aaf536b161136cf67e6076ca868bcdf9122d7073e35f8

Download Submit
C:\Users\Admin\Desktop\ConnectAssert.easmx.payfast.609-994-08D

MD5
7438819ff44f6ac4206c92b5d9693fe7

SHA1
82ee51e8be844f96a8a5e6dc622e558271343ba5

SHA256
4a30bc6d2c96f7578f7311af8cac9be36bcfe209d1e631d0453c8a956f43e715

SHA512
59551b7c5582ff2fdc105ace11b63f1062c69f37e312a038f06d660fb7e982cb459e61520ed141d8059faf998461a2178b003b6364deba2dc355ceb7a5a9468f

Download Submit
C:\Users\Admin\Desktop\ConvertInvoke.wmv.payfast.609-994-08D

MD5
2a28fa6eefdc636b30efdbf976952995

SHA1
8fba1440a1b26d07a9226b89fedd68884ed86f93

SHA256
79af5dfe0cd1591b2ec4cad1a3d486a2dfa6c33b77e6b70312752ce1f326983f

SHA512
51f5dfe45e489834c4af22300997d517ffae891589a57d1c522a0d8ae68cb53b542b62a48f13f1effe0e0f9df1895d3ce7847db6b46c69bfc58749c4e9043983

Download Submit
C:\Users\Admin\Desktop\CopySync.emf.payfast.609-994-08D

MD5
838e9409e76daef9a2e5536a3cadb734

SHA1
3b05a78eb9a274624f42a52e58082e0e8eddda8e

SHA256
335143ad86d7d37cf79cb268dbeda51f91cb9a3f62f305167839d4e47536e95e

SHA512
8060ffa749f27a725270560ae8c85440b6ff2641a1bd6339dde5e8f7209383eaab8e2fc20b09281f1e6cfb366d76d49ab11ad2945ba56902cc036da110701c7f

Download Submit
C:\Users\Admin\Desktop\DebugWait.ini.payfast.609-994-08D

MD5
fbb18bf8fbbb9de3811563efaa6552b1

SHA1
8fc595d178cd632a1d05efea0f89036a36f3ddf7

SHA256
3da8488a943ed46d0275d5a9c065761500687b49b2a1f6b672df62df15e4c902

SHA512
3f6451e6f833006c80398b30fdcc5e585592859056974b40bd12fffccfd48dbc459701ab564642130b47c953befc2cec7d52b5f56cd917771e1961a6f11a8bf7

Download Submit
C:\Users\Admin\Desktop\EnableStop.vsdx.payfast.609-994-08D

MD5
1f5fe9dad2da15242c7391e0f7d4a95c

SHA1
44a965a2639f7234fe774da9eaadd649290802ee

SHA256
c7ae8e064050a618c4ebe6a104ca7a0dbb776d141b1edad51a32c87089876cc8

SHA512
3603f8201cb128afd6790d673c68e697563268dc7d0835149f65fdb8af58b520c73d5166a64b629e68b65743a622f2b82a4914b7ad447d45b9a7ee73312d52f3

Download Submit
C:\Users\Admin\Desktop\EnterHide.rtf.payfast.609-994-08D

MD5
b94bb85ac8a26c9c1c507c32cbde7a02

SHA1
20cb74bf74cd2ced1f5374b8aba6f001f13ed250

SHA256
0135e1a1777c8635b4cfd192fc7d3fa61a0ce79e6166dcdf4fea0e5081fe25e2

SHA512
e3b3348ca56ca97328eeb7df8516311bbccefeaee482b6f34797e18c6454100bdedf0d43157bae545028fbd39ef6cf2f4a9e214cfb0344f007244dbd6a67da01

Download Submit
C:\Users\Admin\Desktop\ExportAssert.asp.payfast.609-994-08D

MD5
8ea73c1c445656c80d24d67826237dcb

SHA1
e6570e22a57010a1c59ee321e37b8ce1faffaaec

SHA256
c135a32b0dde2dd333941c55147e9b2e78c1c583f0755bd863eaae66f20e8f53

SHA512
9799152eca1673b2333b1bdaf33a66f1787785b2e4077b91e6701da989524a43aceabc71e93a5d8ff50329a46cb7a54f5385fa72220c89ed213aee512a85084a

Download Submit
C:\Users\Admin\Desktop\ExportProtect.pub.payfast.609-994-08D

MD5
012b30cb5ccb9a8f9ab92677539b8b66

SHA1
024e4810a3955f9ccbf9d9b0336784c5a504d7d2

SHA256
a1037afaa469704493cdf2ab6430929f3ef28e32abcc831f94f9963c9e38cead

SHA512
ef44e4597b22e90481683fdea89de754c80b3bdd4f949aa1e56c4b09074acadf4388ea1f0b5cc01bbb86b8b199a81881167194a399e69aec1170fb47d50dd11b

Download Submit
C:\Users\Admin\Desktop\JoinOpen.vb.payfast.609-994-08D

MD5
7c3176d728046d5c895698a48ee3814d

SHA1
6b6e01e1a2c9640f7d8748945012156bacae99a2

SHA256
2697f491979b9c122c0b59086a17b8d32870334718c25e084473754eb7c55b0b

SHA512
fc51105a57f9a86cc0f5c63d447a6ad69e672dbf370839443d6c444af45d530d977b28ab2082bff6dd20fa63e1c72838cbb83b75c54ce98471b32078e6c81bce

Download Submit
C:\Users\Admin\Desktop\MountCopy.gif.payfast.609-994-08D

MD5
4e9114f3972c7e37ce38356b2e380603

SHA1
99697f6919ece21e7a10c8595b4aab35e68e504b

SHA256
92680e3ee93ac741b4c1e70fec1d5d65338bd95975911382a50ebcf2f58fb01f

SHA512
30f0a8399a2d0b59e2606150b89233adf8c3118eadfe88968ac51224332969da3f14b4797e75b091c1e8739d0df4f44927b42c695971d1d428018435437e90ab

Download Submit
C:\Users\Admin\Desktop\OutCompress.3gp2.payfast.609-994-08D

MD5
65e40f1c6fca9fc4d5ea2cd48964cae7

SHA1
b8e87b8449597cbeeb2a6d28bf44ea353b85454e

SHA256
96ec8b4cf95de8db1f9a74587d2d33218de9c4005524ee92797d17219003236a

SHA512
793947f39556385c028f0f7d676351552516393aaf72931fdbf1ab58536d81100cfaf4048185110471d044bc936e92e2900282d68981f975f92e0f16d670850a

Download Submit
C:\Users\Admin\Desktop\OutDisconnect.nfo.payfast.609-994-08D

MD5
fbccdef006cda994ef8ab4294bee6439

SHA1
259ded888c2effac2298e30286fb125353b54262

SHA256
212213a6bf44e7a884b36b5109bfc4a65e8761ce0ce431dfb555637a5a88ac19

SHA512
24502484e5013ae4a054d0856a5ae2f8531d6810ca6af18949569c85f9f8ca8124e3c75ab67dea0247111b298dd3db5f64c079f379bc4c9062729594986763ae

Download Submit
C:\Users\Admin\Desktop\PingTrace.odp.payfast.609-994-08D

MD5
eac05c77e7b993fa8fd4d23ae291ccc9

SHA1
1b311e6ade0132fa58a0853e162209c7ad07ea1b

SHA256
f563b6446be6add65015522c7dfe39250d0049930ec2bf13e2846f5e2c450d19

SHA512
839f57ed7a2ffeb7cb359a4c548eeaafa107d8e1657f95122af6fc2c7490082639f7a3ed9dba342ca2bbc616a3110c1940393c0576b7bff833780620ef3904fa

Download Submit
C:\Users\Admin\Desktop\PopStop.mht.payfast.609-994-08D

MD5
6e5b7253d982588be0b9b6fc1a9188fa

SHA1
7010d9a0046df92706dc2d5a699a2b86074a6f29

SHA256
698b159fb1b6a9d8cfb87d9d6fcd33efe6840a02859fc620a7139ff90b17fde2

SHA512
bd052168864e5f8c23faa22775b9251a59c74472c3e5341b6dccbdcf769f852c4aa09b1daea0f11a2b723f9b7b5fcff7ba7a548e8f9f2ccee12645b188ac829b

Download Submit
C:\Users\Admin\Desktop\PushComplete.wmv.payfast.609-994-08D

MD5
bd64d430671c848048aa1b8d5fab3ba6

SHA1
1df2ae7845352b3b57e84cbe6676199ab827465b

SHA256
19cb1b56a89d7c5963e1ac75ad33bdee4af34579636c09659679aad46602f3f4

SHA512
7bad5b8cf0d6fe697810ce870621f9610f4f227fb437c3b0f12fd44a75e7ec6afb0998e3b9b9deef1c76a2d2a2271ca6609ac54851c43acfbd63bacffd0c81c0

Download Submit
C:\Users\Admin\Desktop\RedoConnect.mpp.payfast.609-994-08D

MD5
e7f187f6c7508c35a7920d6fb904a6e7

SHA1
166af2fd71005a266495037b41bbbe8f5ca59ca9

SHA256
dcc4ae9911ee21f833dd415e83d6724689b212d05ac55d84db54ea1b583d1d81

SHA512
60171521a2f9bdfbb68644f0273ecdc4558a02149fb0a8e310b07c6d349b4afd4542a309dcb80232dd7d798682afea53ea670449143a335a5e72669e497a1570

Download Submit
C:\Users\Admin\Desktop\RepairReset.mp3.payfast.609-994-08D

MD5
89178bd45f54d0e3613178af8f3f7e5a

SHA1
66b381c3e045eba68dfe6e53f2d03c397fb539f4

SHA256
995aac639fcc3c8d3b25399d8353be0f1feb5e65de20ac000495922acae2f943

SHA512
1b3ef092bb3eee529ce99352d22b1d7987c1a5f8e85de2602b84bd039d6b1d3c45ecd784c16a83f1f34c68fefb656924a5b7b88c09793d445c3c7189f681ff20

Download Submit
C:\Users\Admin\Desktop\ResizePublish.wvx.payfast.609-994-08D

MD5
4e27388074b0112fa97be442b394bb20

SHA1
67450125befa30605edbcd9c4625c152f29c6c55

SHA256
cd5066d23ee996ca592617ef4649cbbb2ce2e050f1cfe4273a4f88a3634c0fc0

SHA512
39a809aceb2413b11f8033fd86889fea187985b4945becd9c7d1f8df15d91768abfc688c13ec193d60aee49730af7e2e22f3f02b33b64f151d75d5ee2bbfcb2e

Download Submit
C:\Users\Admin\Desktop\RestartTest.xls.payfast.609-994-08D

MD5
e0afa82e8fcfa809a6c27143b3d08689

SHA1
9f73987c40dcf01d6fa33627ee239934ec6fe7b6

SHA256
9a13c7599e1abe08537038600ee58f5ff06ac02fa32b58e16b98f75118ba7157

SHA512
4e441147bf93ed91f1b1642c5cd299e892de66742898bdb75c7331f5f08a4f64b5d765cf7fb3ccc81df0fbf2a8a7b12049882bf81c4b2af395f0793629e112f2

Download Submit
C:\Users\Admin\Desktop\ResumeReceive.wmf.payfast.609-994-08D

MD5
32938ebc5ef9ee3f3bc8ac96d9b86753

SHA1
952ba8a74d50ff20d8b2e84ad769cc141485cad3

SHA256
1f324418cef7eb33672db450cc049fa27eb8e98cab4a82d33409baee41d833e4

SHA512
13ad10e6c12fbbb8604b06a6aaa1250b3a13d71d8d98159a60cd326f20894fad9ed90537e90cc917a004814cb654b84bf60b9737b4b35ec44983e8d768d9dde3

Download Submit
C:\Users\Admin\Desktop\ResumeShow.asp.payfast.609-994-08D

MD5
322493867144e61c345065a20434086e

SHA1
daba6f3b0d1183bd8ff4c73d68a39ae180a922a0

SHA256
e555b7afc119e739b2ffbce7711458e8151d7702108fb923c7bbb1c2cd746275

SHA512
728b2eefa2961b4d26bdf0b70e8c20b5f01192e78e63236ec4971e216b581fa49347bee4a047a7e39ca2f4fb121aa195d48d10b20d4c7dae6176b3973a77aabc

Download Submit
C:\Users\Admin\Desktop\StopRename.ini.payfast.609-994-08D

MD5
3cdb4546970b6b61120b27ef225536cb

SHA1
460837e83f505a0e2dad2f620ba87b19cf8d5c90

SHA256
d207d316971273b16de9d363e347ccd86982f6e8c815e4409592b47764a51881

SHA512
d1d691b96d0eefa0ab647023170cedf8f04f36bb641735f5b8cea84230568ce29e0f6fa5901093f1bb63239152739d47e462eae326682551b96f0f9730e0ca76

Download Submit
C:\Users\Admin\Desktop\UndoSubmit.rtf.payfast.609-994-08D

MD5
65d2de92e7f4168397459662716b7eab

SHA1
7c70fc506b0ee42cf6920ac3cd9b8aca200a91c7

SHA256
64e4e1b759a7522dd4b1a413d5b5eb295c5eafacfaca3bd3330c1e0913cefb37

SHA512
0d6314d5892380bd5d2b9d27a5149aabb5c26dfbc20c619aae1aec55649f82d9824bb0ce9f93f0e1df4ec7ef4b0c7a3d55fd1577abb406818087c8beb0811b58

Download Submit
C:\Users\Admin\Desktop\UninstallSkip.wvx.payfast.609-994-08D

MD5
42534e01f179d00543308d794b9be6e4

SHA1
e08293260e462ab78729d90d6f6ceebef3df959a

SHA256
279e7945e16a1db3366950a4f84bd835dc66fb935c708b5cd9322007bef4ab1c

SHA512
2497a4466bf4939fb1c8a9e45caacd156b68c75d8bea3a4ea97cd37acd738fa8596b11bf5519b6b448c00f4d3cc45d989a68de0c94a1d0c696861be7ed87b41d

Download Submit
C:\Users\Admin\Desktop\UseMerge.txt.payfast.609-994-08D

MD5
c63abd44614e788bcf7f90cce21b2dd5

SHA1
1e4558d7aa44fba261cc038d02099874ab52132b

SHA256
2b7dd471c5090507d235a3b992e4e9c15713eca094ba2fde615f8753953f2feb

SHA512
78d5e1b92ddf28b4a1af5c2171c409faa028a77d9e2c8f0e1a7db5bf868c43b8e75923e913215c61b1aa097f441fa955affaee28392d53a257f5df9177061a78

Download Submit
memory/196-156-0x0000000000000000-mapping.dmp

Download
memory/196-158-0x0000000000160000-0x0000000000169000-memory.dmp

Filesize
36KB

Download
memory/196-157-0x0000000000170000-0x0000000000175000-memory.dmp

Filesize
20KB

Download
memory/484-182-0x0000000000000000-mapping.dmp

Download
memory/640-162-0x0000000000000000-mapping.dmp

Download
memory/640-163-0x0000000000590000-0x0000000000594000-memory.dmp

Filesize
16KB

Download
memory/640-164-0x0000000000580000-0x0000000000589000-memory.dmp

Filesize
36KB

Download
memory/852-175-0x0000000000000000-mapping.dmp

Download
memory/1176-176-0x0000000000000000-mapping.dmp

Download
memory/1408-174-0x0000000000000000-mapping.dmp

Download
memory/1920-155-0x0000000000310000-0x000000000031F000-memory.dmp

Filesize
60KB

Download
memory/1920-153-0x0000000000000000-mapping.dmp

Download
memory/1920-154-0x0000000000320000-0x0000000000329000-memory.dmp

Filesize
36KB

Download
memory/2096-166-0x0000000000690000-0x0000000000695000-memory.dmp

Filesize
20KB

Download
memory/2096-167-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/2096-165-0x0000000000000000-mapping.dmp

Download
memory/2204-140-0x0000000000000000-mapping.dmp

Download
memory/2444-183-0x0000000000000000-mapping.dmp

Download
memory/2496-137-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/2496-136-0x00000000012F0000-0x00000000012F7000-memory.dmp

Filesize
28KB

Download
memory/2496-173-0x0000000000000000-mapping.dmp

Download
memory/2496-131-0x0000000000000000-mapping.dmp

Download
memory/2768-171-0x0000000000000000-mapping.dmp

Download
memory/3008-116-0x0000000001DE0000-0x0000000001DEA000-memory.dmp

Filesize
40KB

Download
memory/3020-117-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/3020-192-0x0000000000670000-0x0000000000686000-memory.dmp

Filesize
88KB

Download
memory/3032-178-0x0000000000000000-mapping.dmp

Download
memory/3064-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3064-115-0x0000000000402FAB-mapping.dmp

Download
memory/3516-152-0x0000000000CD0000-0x0000000000CDB000-memory.dmp

Filesize
44KB

Download
memory/3516-139-0x0000000000000000-mapping.dmp

Download
memory/3516-151-0x0000000000CE0000-0x0000000000CE7000-memory.dmp

Filesize
28KB

Download
memory/3676-168-0x0000000000000000-mapping.dmp

Download
memory/3676-181-0x0000000000A20000-0x0000000000A29000-memory.dmp

Filesize
36KB

Download
memory/3676-180-0x0000000000A30000-0x0000000000A35000-memory.dmp

Filesize
20KB

Download
memory/3748-138-0x00000000040B0000-0x00000000041BA000-memory.dmp

Filesize
1.0MB

Download
memory/3748-177-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/3748-185-0x0000000008D50000-0x0000000008D51000-memory.dmp

Filesize
4KB

Download
memory/3748-186-0x0000000008B80000-0x0000000008B81000-memory.dmp

Filesize
4KB

Download
memory/3748-184-0x0000000008C30000-0x0000000008C31000-memory.dmp

Filesize
4KB

Download
memory/3748-172-0x0000000009370000-0x0000000009371000-memory.dmp

Filesize
4KB

Download
memory/3748-170-0x0000000008E40000-0x0000000008E41000-memory.dmp

Filesize
4KB

Download
memory/3748-121-0x0000000000000000-mapping.dmp

Download
memory/3748-125-0x00000000011F0000-0x00000000011F2000-memory.dmp

Filesize
8KB

Download
memory/3748-135-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3748-134-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3748-133-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/3748-132-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/3748-169-0x0000000008740000-0x0000000008741000-memory.dmp

Filesize
4KB

Download
memory/3748-127-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/3748-128-0x000000007EA20000-0x000000007EDF1000-memory.dmp

Filesize
3.8MB

Download
memory/3916-129-0x0000000001000000-0x0000000001074000-memory.dmp

Filesize
464KB

Download
memory/3916-130-0x0000000000D80000-0x0000000000DEB000-memory.dmp

Filesize
428KB

Download
memory/3916-124-0x0000000000000000-mapping.dmp

Download
memory/3952-118-0x0000000000000000-mapping.dmp

Download
memory/4084-161-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/4084-160-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/4084-159-0x0000000000000000-mapping.dmp

Download
memory/4208-190-0x0000000000402FAB-mapping.dmp

Download
memory/4444-220-0x0000000000000000-mapping.dmp

Download
memory/4444-221-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download